The present invention relates to a network controller and a network control system that transfer packets between networks, and more particularly to a network controller and a network control system capable of effectively detecting inappropriate traffic within large volumes of traffic and controlling the transfer of such traffic.
As the use of the Internet and LANs increases, the importance of operating such networks stably increases accordingly. In particular, the Internet allows an unspecified number of users to use various applications. Therefore, traffic overloads that exceed the assumptions of Internet service providers, or traffic caused by fraudulent activities such as attacks or the spreading of network worms, are highly likely to occur. Detecting and controlling such traffic is thus a problem that must be solved in order to secure the stability of normal communication.
Intrusion detection systems are known as a typical technique for addressing this problem. An intrusion detection system maintains patterns of malicious packets in advance as a database, and detects malicious packets by comparing received packets against the contents of the database. Since an intrusion detection system compares each packet to be tested against a huge database of malicious patterns, its processing speed can become an issue. However, methods for speeding up processing, for instance by narrowing down in advance the contents of the database to be compared against according to the types of servers present within the protected network, have been disclosed (see for instance JP-A-2003-223375).
In addition, as a technique for handling occurrences of excessive traffic that may trigger network congestion, methods have been disclosed that determine in advance the targets to be monitored on a per-user or per-computer basis, measure information such as traffic volume for each monitoring target, and, upon occurrence of congestion, perform rate limiting on traffic with high traffic volumes (see for instance JP-A-2001-217842).
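The per-target approach just described, worked through as an added example (not code from the patent or from JP-A-2001-217842): monitoring targets are fixed in advance, bytes are counted per target for one measurement interval, and only when the link is congested is a per-interval byte budget enforced on the targets whose measured volume exceeds it. The packet records, link capacity, congestion ratio and budget are constructed values chosen for illustration.

```python
from collections import defaultdict

# Constructed packet records for one measurement interval: (source address, bytes).
# Sample values made up for this example, not data from the patent.
PACKETS = [
    ("10.0.0.5", 1500), ("10.0.0.5", 1500), ("10.0.0.5", 1500), ("10.0.0.5", 1500),
    ("10.0.0.7", 400), ("10.0.0.9", 200), ("10.0.0.7", 400), ("10.0.0.5", 1500),
    ("10.0.0.42", 300),   # not a monitoring target: never counted, never limited
]

# Monitoring targets determined in advance (per-computer granularity here).
MONITORED = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}
LINK_CAPACITY = 8000      # bytes per interval the link can carry (assumed)
CONGESTION_RATIO = 0.8    # utilisation above which the link counts as congested (assumed)
PER_TARGET_BUDGET = 2000  # bytes per interval allowed to a rate-limited target (assumed)


def measure(packets, monitored=MONITORED):
    """Per-target byte counters; traffic from non-targets is simply not measured."""
    counts = defaultdict(int)
    for src, size in packets:
        if src in monitored:
            counts[src] += size
    return dict(counts)


def is_congested(packets, capacity=LINK_CAPACITY, ratio=CONGESTION_RATIO):
    """Congestion is judged on total link load, including unmonitored traffic."""
    return sum(size for _, size in packets) > capacity * ratio


def heavy_targets(counts, budget=PER_TARGET_BUDGET):
    """Monitoring targets whose measured volume exceeds the budget, largest first."""
    return [t for t, b in sorted(counts.items(), key=lambda kv: -kv[1]) if b > budget]


def apply_rate_limit(packets, limited, budget=PER_TARGET_BUDGET):
    """Forward packets of limited targets only while their interval budget lasts."""
    remaining = {t: budget for t in limited}
    forwarded, dropped = [], []
    for pkt in packets:
        src, size = pkt
        if src in remaining:
            if remaining[src] >= size:
                remaining[src] -= size
                forwarded.append(pkt)
            else:
                dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped


def control_interval(packets):
    """One control cycle: measure, and rate-limit heavy targets only under congestion."""
    counts = measure(packets)
    if not is_congested(packets):
        return list(packets), []
    return apply_rate_limit(packets, heavy_targets(counts))


if __name__ == "__main__":
    fwd, drp = control_interval(PACKETS)
    print("measured:", measure(PACKETS))
    print("forwarded:", len(fwd), "dropped:", len(drp))
```

Note that 10.0.0.42 contributes to the congestion decision but can never be measured or limited, because it was not a monitoring target when the list was fixed; this is the limitation the later discussion of backbone-scale traffic turns on, and the reason the target list and its counters grow with every host one wishes to cover.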
Furthermore, traffic analysis methods have recently been disclosed that use basket analysis for high-speed extraction of traffic with predetermined characteristics that occupies wide bands in networks, such as Internet backbone networks, through which vast volumes of traffic flow (see for instance JP-A-2005-285048). Basket analysis is a data mining method commonly used to analyze which combinations of products are purchased together in retail stores and the like.
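To make concrete how basket analysis carries over from shopping baskets to traffic, the following added example (written for this page, not code from the patent or JP-A-2005-285048) treats each flow record as a basket whose items are header field/value pairs, and runs a level-wise (Apriori-style) search for combinations of items whose byte-weighted support exceeds a share of total bytes. The flow records, the field set and the 50% threshold are constructed assumptions; the output is the set of maximal frequent combinations, i.e. the header combinations that occupy a wide band.

```python
from collections import defaultdict
from itertools import combinations

# Constructed flow records (sample values, not from the patent). Four sources send
# heavily to one destination/port; one source talks to several destinations; the
# rest is background. Addresses are from documentation ranges.
FLOWS = [
    {"src": "198.51.100.1", "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "bytes": 4000},
    {"src": "198.51.100.2", "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "bytes": 4000},
    {"src": "198.51.100.3", "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "bytes": 4000},
    {"src": "198.51.100.4", "dst": "203.0.113.10", "dport": 80, "proto": "tcp", "bytes": 4000},
    {"src": "198.51.100.9", "dst": "203.0.113.20", "dport": 443, "proto": "tcp", "bytes": 1000},
    {"src": "198.51.100.9", "dst": "203.0.113.21", "dport": 443, "proto": "tcp", "bytes": 1000},
    {"src": "198.51.100.5", "dst": "203.0.113.30", "dport": 53, "proto": "udp", "bytes": 500},
    {"src": "198.51.100.6", "dst": "203.0.113.31", "dport": 25, "proto": "tcp", "bytes": 500},
]

FIELDS = ("src", "dst", "dport", "proto")   # header fields turned into basket items
MIN_SHARE = 0.5   # assumed: a combination must carry at least 50% of all bytes


def to_basket(flow):
    """A flow becomes a set of (field, value) items, like products in a basket."""
    return frozenset((f, flow[f]) for f in FIELDS)


def weighted_support(itemset, baskets):
    """Bytes carried by flows that contain every item of the itemset."""
    return sum(w for basket, w in baskets if itemset <= basket)


def frequent_itemsets(flows, min_share=MIN_SHARE):
    """Level-wise search: frequent k-itemsets are joined into (k+1)-candidates.

    Returns ({itemset: bytes}, total_bytes). Support is weighted by bytes rather
    than by flow count, because the question is which combinations occupy bandwidth.
    """
    baskets = [(to_basket(f), f["bytes"]) for f in flows]
    total = sum(w for _, w in baskets)
    threshold = min_share * total

    singles = defaultdict(int)
    for basket, w in baskets:
        for item in basket:
            singles[frozenset([item])] += w
    current = {s: w for s, w in singles.items() if w >= threshold}
    frequent = dict(current)

    while current:
        candidates = set()
        for a, b in combinations(list(current), 2):
            union = a | b
            if len(union) == len(a) + 1:      # differ in exactly one item
                candidates.add(union)
        current = {}
        for cand in candidates:
            w = weighted_support(cand, baskets)
            if w >= threshold:
                current[cand] = w
        frequent.update(current)
    return frequent, total


def maximal(frequent):
    """Keep only itemsets that have no frequent proper superset."""
    return {s: w for s, w in frequent.items() if not any(s < t for t in frequent)}


def report(flows, min_share=MIN_SHARE):
    """Human-readable view: each wide-band combination with its share of bytes."""
    frequent, total = frequent_itemsets(flows, min_share)
    return [(dict(sorted(s)), w / total) for s, w in maximal(frequent).items()]


if __name__ == "__main__":
    for combo, share in report(FLOWS):
        print(f"{share:.1%} of bytes:", combo)
```

Here the only maximal combination is dst=203.0.113.10, dport=80, proto=tcp, at about 84% of bytes, found without any pre-registered monitoring target and with per-level scans rather than per-packet pattern matching. Note what the result does not say: the extracted combination could be a flood against one server or a legitimately popular service; the extraction step alone yields the header combination, not the nature of the traffic behind it, which is exactly the gap the discussion of JP-A-2005-285048 below points out.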
The technique disclosed in JP-A-2003-223375 attempts to speed up processing in an intrusion detection system that relies on pattern matching to detect malicious packets by reducing the number of patterns to be matched. This may be effective in, for instance, a network of a scale comparable to the entrance of an organizational network, where only limited services are used. However, since pattern matching is performed for each packet, there is a ceiling on processing speed, and the technique is therefore incapable of handling traffic of a scale comparable to Internet backbone networks.
The technique disclosed in JP-A-2001-217842 determines monitoring targets in advance and manages the traffic volumes used by those targets with a database. This may be sufficient in a limited environment where the monitoring targets are known. However, when applying it to an Internet backbone network, through which traffic from an unspecified number of computers flows, it becomes difficult to determine the monitoring targets in advance. Even if the technique is applied, it will require vast resources such as memory.
The technique disclosed in JP-A-2005-285048 may overcome the problems of processing ability and required resources such as memory that affect JP-A-2003-223375 and JP-A-2001-217842. However, it does not consider acquiring the information necessary to accurately determine the characteristics of the extracted traffic (for example, a DDoS attack, a network worm outbreak, or P2P file exchange). Therefore, when attempting to prohibit or otherwise control the extracted traffic, it is difficult to prevent erroneous control of that traffic.